# Local gateway MAC address [optional]; when a value is present, only traffic
# from the local gateway will be permitted. MAC addresses are trivial to forge,
# so treat this only as a supplementary layer of route verification, not as
# authentication of the peer.
LGATE_MAC=""

# Enable virtual network subsystem; creates an independent policy ruleset for
# each IP on the system (pulled from 'ip addr list') in /etc/apf/vnet/ip.rules.
# The template for rule files is located in the vnet/ folder. This feature can
# reduce apf start/stop performance and is not recommended for systems with more
# than 255 (/24) IPs. [0 = Disabled / 1 = Enabled]
EN_VNET="0"

# Support monolithic kernel builds [no LKMs]. This mode of operation is
# not really supported; use it at your own risk.
MONOKERN="0"

# Use a dynamic discovery routine to parse and create rules based
# on the local name servers defined in /etc/resolv.conf.
# [0 = Disabled / 1 = Enabled]
RESV_DNS="0"

# With RESV_DNS enabled, all untrusted name server traffic can fill
# the logs with sport 53 traffic. This can be suppressed with an
# implicit drop of all such traffic (sport 53 ingress) so as to bypass
# the log chain; such traffic is then dropped without being logged.
RESV_DNS_DROP="1"

# You need multicasting if you intend to participate in the MBONE, a
# high bandwidth network on top of the Internet which carries audio
# and video broadcasts. More about MBONE at: www-itg.lbl.gov/mbone/.
# Unless you rely on multicast, enabling this block is generally safe.
# [0 = Disabled / 1 = Enabled]
BLK_MCATNET="0"

# Block all IPv4 address space marked reserved for future use or
# unassigned; such networks have no business communicating with us.
# However, they may at some point become live address space, so the
# list needs periodic review. Refer to the 'internals/reserved.networks'
# file for the listing of address space. [0 = Disabled / 1 = Enabled]
BLK_RESNET="0"

# This is the maximum number of "sessions" (connection tracking entries)
# that can be handled simultaneously by the firewall in kernel memory.
# Increasing this value too high will simply waste memory; setting it
# too low may result in some or all connections being refused, in particular
# during denial of service attacks.
SYSCTL_CONNTRACK="24576"

# These are sysctl hook changes to further harden the kernel against
# network attack trends by lowering standard time-out values and other
# time based packet responses. [0 = Disabled / 1 = Enabled]
SYSCTL_TCP="1"

# This sysctl hook will log "martian" packets: internal traffic that is
# otherwise not to/from a local interface and not multicast.
# [0 = Disabled / 1 = Enabled]
SYSCTL_LOGMARTIANS="0"

# This sysctl hook will allow you to enable or disable ECN support
# (Explicit Congestion Notification); this feature provides an
# improved method for congestion avoidance by allowing the network
# to mark packets for transmission later, rather than dropping them
# from the queue. [0 = Disabled / 1 = Enabled]
SYSCTL_ECN="0"

# This sysctl hook will allow you to enable or disable SynCookies
# support; this feature will send out a 'syn-cookie' when the syn
# backlog for a socket becomes overflowed. The cookie is used to
# interrupt the flow of syn transmissions with a hashed sequence
# number that must be correlated with the sending host. The hash
# is made up of the sending host address, packet flags etc.;
# if the sending host does not validate against the hash then the
# TCP handshake is terminated. [0 = Disabled / 1 = Enabled]
# Note: syncookies seriously violate the TCP protocol and can result
# in serious degradation of some services (e.g. SMTP); the degradation
# is visible not to you, but to the clients and relays that are
# contacting your system.
SYSCTL_SYNCOOKIES="0"

# This sysctl hook will allow you to toggle Abort_On_Overflow support;
# this feature will help mitigate burst floods if a listening service
# is too slow to accept new connections. This option is an alternative
# to SynCookies and the two should NEVER be enabled at the same time.
# [0 = Disabled / 1 = Enabled]
# Note: This option can harm clients contacting your system. Enable
# this option only if you are sure that the listening daemon cannot
# be tuned to accept connections faster.
SYSCTL_OVERFLOW="0"

# Common drop ports; these are implicit ports you do not want logged
# by the default drop chains. Format is comma separated, with an underscore
# as the range separator (135_139). Ports are dropped silently (no log entry)
# for both TCP & UDP, inbound and outbound alike.
CDPORTS="135_139,111,513,445,1433,1434,1234,1524,3127"

##
# [Ingress]
# Configure ingress (inbound) accepted services. This is an optional
# feature; services and customized entries may be made directly in an IP's
# virtual net file located in the vnet/ directory. Format is comma separated,
# with an underscore as the range separator.
#
# Example:
# IG_TCP_CPOR
#old version IG_TCP_CPORTS="21,22,25,53,80,443,110,143,6000_7000"